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DETAILED ACTION 

Continued Examination Under 37 CFR 1.114 

1 . A request for continued examination under 37 CFR 1.114, including the fee set forth in 
37 CFR 1.17(e), was filed in this application after final rejection. Since this application is 
eligible for continued examination under 37 CFR 1.1 14, and the fee set forth in 37 CFR 1.17(e) 
has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 
37 CFR 1.1 14. Applicant's submission filed on 12/24/2008 has been entered. 

Response to Arguments 

2. In communications filed on 12/24/2008, applicant amends claims 1, 8-13, and 15-17, and 
19-21. The following claims 1-22 are presented for examination. 

2. 1 Applicant's arguments filed on 12/24/2008 have been fully considered but they are not 
persuasive. Regarding claim 8, applicant argues about paragraph 47 for not disclosing baseline 
list and current list of port and/or service protocol. Examiner respectfully disagrees as other 
citations show that the profiles contain measures or values of port and/or service protocol (see 
for instance par. 36 and rejection below). Regarding claim 9, applicant requests more 
discussions about the paragraphs cited, more explanation is provided in the rejection below. It is 
noted that discovery, intrusion, and anomalities detected are indication of new service. 
Regarding claims 10 and 14, applicant's arguments are moot as a new ground of rejection and/or 
more detailed explanation are provided below. Regarding applicant's arguments about 
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Examiner's official notice, specific prior art and citations were provided on page 3 of the 
remarks (see for instance, Bruton and Cooper) contrarily to as argued by applicant. It appears 
that Applicant conceded on the citations of Bruton and Cooper by relying on a typo error in the 
citation in Kekik to support his arguments. Regarding claim 1, applicant argues about the prior 
art not disclosing a range. Examiner respectfully disagrees because according to the 
specification, a range may be a selection of a specific host, or any host in a specific role, or any 
host in a specific segment or anywhere in the network. Therefore the claim recitations have been 
met by the prior art. Therefore, upon further consideration, applicant has not overcome the 
rejection of claim 1. In view of the above the claims remain rejected. 

Claim Objections 

3. Claim 8 and the intervening claims are objected to because of the following informalities: 
the claim recites "longer duration that a current period". Appropriate correction is required. 

Claim Rejections - 35 USC § 112 

4. The following is a quotation of the second paragraph of 35 U.S.C. 1 12: 

The specification shall conclude with one or more claims particularly pointing out and 
distinctly claiming the subject matter which the applicant regards as his invention. 

4.1 Claims 9, 16, and the intervening claims are rejected under 35 U.S.C. 1 12, second 
paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject 
matter which applicant regards as the invention. 

4.2 Claims 9 and 16 recite "determine if the host is providing or using the new service". The 
claims can be interpreted in the alternative for determining if the host is providing or using the 
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new service rather than different determination i.e. determining whether the host is providing or 
using the new service. Also, "providing the new service" is described in the original 
specification as sending traffic using the protocols not in the list, it appears that "providing" and 
"using" as described are similar terms since "using the new service" would also require using 
protocols not on the list. 



Claim Rejections - 35 USC § 103 

5. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 

obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or 
described as set forth in section 102 of this title, if the differences between the subject 
matter sought to be patented and the prior art are such that the subject matter as a whole 
would have been obvious at the time the invention was made to a person having ordinary 
skill in the art to which said subject matter pertains. Patentability shall not be negatived 
by the manner in which the invention was made. 

Claims 8-22 are rejected under 35 U.S.C. 103(a) as being unpatentable over US Patent 
Publication 2004/0010718 to Porras et al in view of US Patent 7,492,720 to Pruthi et al. 

As per claim 8, Porras et al substantially discloses a method for detection of a new 
service involving an entity, the method comprises: Porras et al discloses monitoring network 
activity of an entity (see page 1, paragraph 1 1) that meets the recitation of entity being tracked, 
which includes analyzing event records such as port and or service protocols (see page 3, 
paragraphs 33 and 36) the method includes collecting statistical measures that includes port and 
or service protocols (see paragraphs 74 and 76) over a period of time (for instance, paragraphs 
37-38 disclose how data may be collected over time) comprising the most recent data represented 
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as short-term statistical profiles (current list) and the normal, non-recent, data as long-term 
statistical profiles (baseline list) of an entity being monitored (see page 1, paragraphs 1 1 and 15, 
and paragraphs 40-41 and 74 and 76-77) that meets the recitation of retrieving a baseline list of 
port and/or service protocols used by a host being tracked, the baseline list listing service and/or 
port protocols over a baseline period that is of a longer duration than a current period. Porras 
et al discloses adjusting short term profiles for measure values observed in the event record, (see 
par. 41) the event record contains event streams and the measure values indicate port and/or 
service protocols (par. 71, 74, and 76-78) that meets the recitation of retrieving a current list of 
service and/or port protocols for the current period used by the host being tracked; Porras et al 
further discloses a comparison is made between the long-term and short-term profiles wherein 
the difference between them indicates suspicious network activity or abnormal activity (see page 
1, paragraphs 1 1 and 15) or discovery of new service (see page 3, paragraphs 33 and 36 and page 
4, paragraph 47) that meets the recitation of determining whether there is a difference in the 
protocols, by having a protocol that was in a current list but was not in the baseline list; and if 
there is a difference; indicating a new service involving the tracked host. As interpreted by the 
Examiner, the profile contains network activities (par. 40) and measures that describe network 
connections, which include service protocols (par. 71) monitored over long and short time period 
recorded in long-term and short-term profiles respectively (par. 37-38) and the difference of 
these measures in long-term and short-term profiles indicate network intrusion (see par. 71). 

In the event that the long-term and short-term profiles of statistical measures of network 
connections are not well-founded as interpreted by Examiner as disclosing the baseline list and 
short term list, Pruthi et al in an analogous art discloses host connection table for service 
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protocols over a first and second time periods of time wherein the second time period is longer 
than the first time period (see columns 16, line 24 through column 18 with figs. 11-18 disclosing 
the connection tables with list of port and/or service protocols and claim 1 disclosing first and 
second time periods). Therefore, it would have been obvious to one of ordinary skill in the art at 
the time the invention was made to implement the profiles in connection tables as disclosed by 
Pruthi et al so that the list of port and/or service protocols are easier for sorting and comparing 
the data in the tables (see for instance, column 16, lines 31-64 and column 17, line 51 through 
column 18, line 3) as suggested by Porras et al. 

As per claim 9, the references as combined above disclose determining if the entity is 
providing or using the new service (see Porras et al, page 4, paragraph 47 showing discovery of 
new service used by host, see also paragraph 74 disclosing traffic in and out showing indication 
of network intrusion (new service)). 

As per claim 1 1, the references as combined above disclose retrieving a value 
corresponding to the alert severity level set for violation of the rule (see Porras et al, page 6, 
paragraph 67). 

As per claim 12, the references as combined above disclose wherein a property of the 
host being tracked is that the host is at least one of a specific host, any host in a specific role, 
any host in a specific segment, or any host (see Porras et al, page 1, paragraph 10). 
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As per claim 13, the references as combined above disclose wherein the extent of the 
determining is configured for that host, in its role, in its segment or anywhere in the network (see 
Porras et al, page 1. paragraph 7). 

As per claims 15, 16, 19, 20, and 21, these claims recite the same limitation as claims 8, 
9, 11, 12, and 13 respectively except for incorporating the claimed method into a computer 
program. Porras et al discloses implementing the invention into a computer readable medium 
containing instructions (see page 8, paragraph 81). Therefore, claims 15, 16, 19, 20, and 21, are 
rejected on the same rationale as the rejection of claims 8, 9, 11, 12, and 13. 

As per claim 18, the references as combined above disclose wherein instructions to 
indicate further comprise instructions to issue an alert if the new service is detected (see Porras 
et al, page 7, paragraph 71). 

As per claim 10, Porras et al substantially discloses determining whether the activity 
exceeds a threshold value when the entity is using a new service (unknown port) and if the 
threshold exceeds and the entity is using a new service, anomaly is detected (see page 4, 
paragraphs 47 and 48). Porras et al suggests using a countermeasure response to report the 
anomaly (see pages 6-7, paragraphs 67 and 71). Although not using the same terms as the claim 
language it is apparent to one of ordinary skill in the art of intrusion detection that a rule for 
issuing an alert may be defined as exceeding a threshold value which indicates an attack as 
disclosed Porras et al and producing a countermeasure response or reporting the attack in 
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response to detecting can be reasonably interpreted as generating an alert. As known in the art, 
in an attack-response method when an attack is detected according to a specified rule, an alert is 
generated. Therefore, it would have been obvious to one of ordinary skill in the art at the time 
the invention was made to issue an alert if is determined whether a rule specifies to issue an alert 
if the entity is providing or using the new service; and if it is also determined that the entity is 
providing or using the new service so as to protect the network from more global attacks by 
taking further actions (see page 7. paragraph 68) or by alerting other entities (see page 2, 
paragraph 16) as suggested by Porras et al. 

As per claim 14, Porras et al substantially discloses measuring network connections and 
using a statistical profile to make the comparison (see page 1 , paragraph 1 -2) but does not 
explicitly disclose that the statistical profile is represented as a connection table. Examiner takes 
official notice that it is very well known in the art that network events can be represented in a 
form of a table and it would have been obvious to one of ordinary skill in the art at the time the 
invention was made to modify the statistical profile of measures of network connections of 
Pruthi et al and implement it in a connection table so as to make it easier for reading, editing, 
and interpreting the data as known in the art. 

As per claim 17, Porras et al substantially discloses determining whether the activity 
exceeds a threshold value when the entity is using a new service (unknown port) and if the 
threshold exceeds and the entity is using a new service, anomaly is detected (see page 4, 
paragraphs 47 and 48). Porras et al suggests using a countermeasure response to report the 
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anomaly (see pages 6-7, paragraphs 67 and 71). Although not using the same terms as the claim 
language it is apparent to one of ordinary skill in the art of intrusion detection that a rule for 
issuing an alert may be defined as exceeding a threshold value which indicates an attack as 
disclosed Porras et al and producing a countermeasure response or reporting the attack in 
response to detecting can be reasonably interpreted as generating an alert. As known in the art, 
in an attack-response method when an attack is detected according to a specified rule, an alert is 
generated. Therefore, it would have been obvious to one of ordinary skill in the art at the time 
the invention was made to issue an alert if is determined whether a rule specifies to issue an alert 
if the entity is providing or using the new service so as to protect the network from more global 
attacks by taking further actions (see page 7, paragraph 68) or by alerting other entities (see page 
2, paragraph 16) as suggested by Porras et al. 

As per claim 22, Porras et al substantially discloses collecting statistical measures to 
provide the most recent data represented as short-term statistical profiles (current list) and the 
normal, non-recent, data as long-term statistical profiles (baseline list) (see page 1, paragraph 1- 
2, paragraphs 1 1 and 15, page 3, paragraphs 33 and 36 and page 4, paragraph 40), but does not 
explicitly state that the statistical measures are represented in a table. Examiner takes official 
notice that it is very well known in the art that network events can be represented in a form of a 
table and it would have been obvious to one of ordinary skill in the art at the time the invention 
was made to modify the statistical profile of measures of network connections of Pruthi et al 
and implement it in a connection table so as to make it easier for reading, editing, and 
interpreting the data as known in the art. 
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6. Claims 1-7 are rejected under 35 U.S.C. 103(a) as being unpatentable over US Patent 
Publication 2004/0010718 to Porras et al in view of US Patent 7,492,720 to Pruthi et al in view 
of US Patent 7,047,288 to Cooper et al. 

As per claim 1, Porras et al substantially discloses a graphical user interface (see page 3, 
paragraph 31) for configuring a new service detection process, and discloses tracking an entity in 
the network (see page 1, paragraph 1 1) a method that allows a system to track if the selected 
entity is providing or consuming a service (such as using unknown port protocol) (see pages 4-5, 
paragraphs 40-41, 47-48); depicts a range over which to track the selected entity (see page 3, 
paragraph 35); specifying severity for an alert generated if a new service is detected (see pages 
4-5, paragraphs 41 and 47-48; and pages 6-7, paragraph 67). Porras et al does not explicitly 
disclose the details of the graphical user interface. However, it would have only required routine 
skill in the art to implement the steps above into fields in a graphical user interface to make it 
interactive. Pruthi et al in an analogous art discloses host connection table for service protocols 
(see columns 16, line 24 through column 18 with figs. 11-18 disclosing the connection tables 
with list of port and/or service protocols) wherein a host can be selected and set of packets 
belonging to different services are displayed (see fig. 22 and column 19, lines 35-54). For 
instance figs. 16-18 show entities to be tracked and a selection wherein as shown in fig. 19 
displays a range over which to track an entity selected in figs. 16-18 (see for instance, column 
17, line 37 through column 18, line 3). Cooper et al in an analogous art teaches generating a 
human readable English language description of a formal specification of network security 
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policy that allows non-technical user within a user's organization to comprehend the policy by 
making the description simple enough to be understood (see abstract). Cooper et al discloses a 
graphical user interface (see for instance fig. 9) that includes several fields including field for 
specifying a host name, field for service being tracked (see figs. 9 and 31) that meets the 
recitation of a first field that depicts choices for entities to track in the network, field for 
specifying a range of the entity being tracked (see fig. 10A specifying a range in the network 
such as an Intranet domain) and field specifying a severity for an alert generated (see fig. 9). 
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention 
was made to modify Porras et al to implement the method disclosed by Porras et al into a 
graphical user interface represented by fields as disclosed in Cooper et al. One of ordinary skill 
in the art would have been recognized the advantages disclosed by Cooper et al who teaches 
generating a human readable English language description of a formal specification of network 
security policy that allows non-technical user within a user's organization to comprehend the 
policy by making the description simple enough to understood (see abstract). 

As per claim 2, the references as combined above disclose wherein the fields are 
linguistically tied together on the interface to form a sentence that corresponds to a rule (see 
Cooper et al, column 28, lines 10-5 1 and fig. 12). Claim 2 is therefore rejected on the same 
rationale as the rejection of claim 1 above. 

As per claim 3, the references as combined above disclose updating new rules in a 
database that meets the recitation of a list of new service detection rules stored in the detection 
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system (see Cooper et al, column 68, lines 14-67). Claim 3 is therefore rejected on the same 
rationale as the rejection of claim 1 above. Claim 4 is therefore rejected on the same rationale as 
the rejection of claim 1 above. 

As per claim 4, the references as combined above disclose a field that allows a user to 
specify the entity to track as a specific host, any host in a specific role, any host in a specific 
segment, or any host (see Porras et al, page 1, paragraph 10 and Cooper et al, fig. 31 and fig. 
9). 

As per claim 5, the references as combined above disclose a field that specifies details for 
the extent of the comparison for the entity specified in the first field as host, in its role, in its 
segment or anywhere in the network (see Cooper et al, figs. 9, 10C, and 31). Claim 5 is 
therefore rejected on the same rationale as the rejection of claim 1 above. 

As per claim 6, the references as combined above disclose the claimed method of claim 
1 . Porras et al also discloses wherein event severity is a numerical value (see Porras et al, page 
6, paragraph 67) and Cooper et al discloses a graphical interface for entering severity value (see 
Cooper et al, fig. 9). Claim 6 is therefore rejected on the same rationale as the rejection of claim 
1 above. 
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As per claim 7, the references as combined above disclose the claimed method of claim 
1 . Cooper et al further discloses pull down menu for inputting the information in the fields (see 
fig. 31). Claim 7 is therefore rejected on the same rationale as the rejection of claim 1 above. 

Conclusion 

7. The prior art made of record and not relied upon is considered pertinent to applicant's 
disclosure as the prior art discloses several of the claimed features such as graphical user 
interface for implementing network detection and comparing recent event detection with known 
event to determine that new service is detected. (See PTO-form 892). 

7. 1 Any inquiry concerning this communication or earlier communications from the 

examiner should be directed to CARL COLIN whose telephone number is (571)272-3862. The 

examiner can normally be reached on Monday through Thursday, 8:00-6:30 PM. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 

supervisor, Nasser G. Moazzami can be reached on 571-272-4195. The fax phone number for 

the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would 
like assistance from a USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 
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Primary Examiner, Art Unit 2436 
March 3, 2009 



